
Re: vnconfig with additional keyfile



Hello,

I have thought about my patch again and have come to the conclusion that it's 
just a hack. There should be a separate tool (svndctl) which supports 
AES and BF encryption (with different key lengths). 
Furthermore it should be possible to change the password for a 
key file, so if I think my password has been sniffed over my shoulder 
=> I could easily change it. 
But I think it's beyond my programming skills.

Even better would be kernel support for the svndctl functionality.
So OpenBSD could provide an easy root partition encryption! 
But this is way beyond my programming skills.

I know "Shut up and hack". But I cannot hack the support, 
so I just shut up.

so long,

Marcus.


On Sunday 23 October 2005 22:34, Marcus Popp wrote:
> Hi,
>
> I've made the attached patch for vnconfig.c to allow an additional
> keyfile. This way I can build up a two-way authentication (keyfile on
> my USB stick) and can use a really long encryption key.
> usage: vnconfig -K /path/key svnd0 /path/secret
>
> My diff was inspired by the code of tedu@ and Nikolai Fetissov.
> I'm not a C guru => fixes welcome.
>
> I would provide diffs for the manual pages, if somebody cares.
>
> so long,
>
> Marcus.
>
> --- vnconfig.org        Sun Oct 23 00:47:11 2005
> +++ vnconfig.c  Sun Oct 23 22:25:16 2005
> @@ -42,6 +42,8 @@
>  #include <sys/mount.h>
>  #include <sys/stat.h>
>
> +#include <crypto/blf.h>
> +
>  #include <dev/vndioctl.h>
>
>  #include <err.h>
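
Review bot: `<crypto/blf.h>` is the kernel's copy of the header under sys/crypto; a userland program such as vnconfig gets the same blf_key()/blf_enc() prototypes from <blf.h> in libc, so include that instead. The `_PASSWORD_LEN` macro used by the KEY_LEN define in the next hunk comes from <pwd.h>, which this include hunk does not add; make sure vnconfig.c already pulls it in.
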
> @@ -60,11 +62,14 @@
>  #define VND_UNCONFIG   2
>  #define VND_GET                3
>
> +#define KEY_LEN (_PASSWORD_LEN+1)
> +
>  int verbose = 0;
>
>  __dead void usage(void);
>  int config(char *, char *, int, char *);
>  int getinfo(const char *);
> +char* computekey(const char *);
>
>  int
>  main(int argc, char **argv)
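
Review bot: `char* computekey(const char *);` should be written `char *computekey(const char *);` to match the surrounding prototypes and style(9). KEY_LEN is defined as `_PASSWORD_LEN+1` to leave room for a terminator, but the buffer in computekey() is then declared `key[KEY_LEN+1]` while bzero() and fgets() use KEY_LEN, so the extra byte is accounted for twice; pick one convention (KEY_LEN bytes of key plus one terminator, or KEY_LEN including it) and use it consistently.
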
> @@ -72,7 +77,7 @@
>         int ch, rv, action = VND_CONFIG;
>         char *key = NULL;
>
> -       while ((ch = getopt(argc, argv, "cluvk")) != -1) {
> +       while ((ch = getopt(argc, argv, "cluvkK:")) != -1) {
>                 switch (ch) {
>                 case 'c':
>                         action = VND_CONFIG;
> @@ -86,6 +91,9 @@
>                 case 'v':
>                         verbose = 1;
>                         break;
> +               case 'K':
> +                       key = computekey(optarg);
> +                       break;
>                 case 'k':
>                         key = getpass("Encryption key: ");
>                         break;
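
Review bot: the new `case 'K'` assigns `key` exactly as `case 'k'` does, so `-k -K file` and `-K file -k` silently use whichever option came last instead of being rejected; add a check that errors out when both are given. Note also that computekey() itself calls getpass(), so -K means passphrase plus key file rather than a replacement for the prompt; the usage text and manual page should say so.
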
> @@ -208,7 +216,52 @@
>
>         (void)fprintf(stderr,
>             "usage: %s [-c] [-vk] rawdev regular-file\n"
> +           "       %s [-c] [-vK] key-file rawdev regular-file\n"
>             "       %s -u [-v] rawdev\n"
> -           "       %s -l [rawdev]\n", __progname, __progname, __progname);
> +           "       %s -l [rawdev]\n", __progname, __progname, __progname,
> __progname); exit(1);
> +}
> +
> +char*
> +computekey(const char *filename)
> +{
> +       static char key[KEY_LEN+1];
> +       char *keybuf;
> +       char encbuf[128];
> +       FILE *f;
> +
> +       keybuf = getpass("Encryption key: ");
> +       if (!keybuf || strlen(keybuf) == 0)
> +               errx(1 ,"Need an encryption key!");
> +       else
> +               strncpy(encbuf, keybuf, sizeof(encbuf));
> +
> +       bzero(key, KEY_LEN);
> +
> +       if (verbose)
> +               printf("reading key from %s\n", filename);
> +
> +       f = fopen(filename, "r");
> +       if (f == NULL)
> +               err(1, "Unable to open: %s", filename);
> +       if (fgets(key, KEY_LEN, f) == NULL) {
> +               fclose(f);
> +               err(1, "file: %s is empty!", filename);
> +       } else {
> +               // remove newline
> +               int len = strlen(key);
> +               if (len > 0 && key[len-1] == '\n')
> +                       key[len-1] = '\0';
> +       }
> +       fclose(f);
> +
> +       if (strlen(key) <= 1)
> +               errx(1, "empty key from %s", filename);
> +
> +       if (verbose)
> +               printf("generating key\n");
> +       blf_ctx c;
> +       blf_key(&c, (u_int8_t *) encbuf, strlen(encbuf));
> +       blf_enc(&c, (u_int32_t *) key, KEY_LEN);
> +       return (key);
>  }
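
Review bot: `blf_enc(&c, (u_int32_t *) key, KEY_LEN)` passes a byte count where blf_enc() takes the number of 64-bit blocks, so it enciphers KEY_LEN*8 bytes in place through a buffer declared as `static char key[KEY_LEN+1]`, overrunning it several times over; the block count has to be the buffer length divided by 8, with the buffer padded to a multiple of 8 bytes and aligned for the u_int32_t cast (a plain `static char` array is not guaranteed to be). Also in this hunk: `strncpy(encbuf, keybuf, sizeof(encbuf))` leaves encbuf unterminated when the passphrase is 128 characters or longer, so the following `strlen(encbuf)` reads past the array; strlcpy() plus a length check fixes that. The enciphered key is raw binary and may contain NUL bytes, so a caller that treats it as a NUL-terminated string the way it treats the getpass() result will silently truncate it, defeating the "really long key" goal; return an explicit length or encode the output. Neither the passphrase copy in encbuf nor the getpass() buffer is cleared before returning. Enciphering the file contents once under the passphrase with Blowfish is not a key derivation function; a salted, iterated KDF is the usual choice for turning a passphrase plus key file into a disk key. Style nits: `// remove newline` should be a `/* */` comment, `blf_ctx c;` belongs with the other declarations at the top of the function, `errx(1 ,"...")` has a stray space, and the `else` after an errx() that does not return is redundant. The usage line `[-vK] key-file` reads as if key-file were a positional operand; since it is the argument to -K, write it as `[-v] -K key-file`.
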


